From 62883b1e2153281f9eeb82a35cac773c24dd24c1 Mon Sep 17 00:00:00 2001
From: suresh
Date: Fri, 12 Jun 2026 13:59:15 -0700
Subject: [PATCH] Switch from granting broad public access to CloudFront access to Objects in the content bucket.
Co-authored-by: Claude
---
 cicd/3-app/javabuilder/template.yml.erb | 30 ++++++++++++++++++++-----
 1 file changed, 24 insertions(+), 6 deletions(-)
diff --git a/cicd/3-app/javabuilder/template.yml.erb b/cicd/3-app/javabuilder/template.yml.erb
index 7ece8203..6e9b5c7a 100644
--- a/cicd/3-app/javabuilder/template.yml.erb
+++ b/cicd/3-app/javabuilder/template.yml.erb
@@ -487,16 +487,32 @@ Resources:
 Status: Enabled
 ExpirationInDays: 1
 
+ ContentOriginAccessControl:
+ Type: AWS::CloudFront::OriginAccessControl
+ Properties:
+ OriginAccessControlConfig:
+ Name: !Sub "${SubdomainName}-${BaseDomainName}-content-oac"
+ OriginAccessControlOriginType: s3
+ SigningBehavior: always
+ SigningProtocol: sigv4
+
 ContentBucketPolicy:
 Type: AWS::S3::BucketPolicy
 Properties:
 Bucket: !Ref ContentBucket
 PolicyDocument:
+ Version: '2012-10-17'
 Statement:
- - Action: ['s3:GetObject']
- Effect: Allow
- Resource: !Sub "arn:aws:s3:::${ContentBucket}/*"
- Principal: '*'
+ - Sid: AllowCloudFrontRead
+ Effect: Allow
+ Principal:
+ Service: cloudfront.amazonaws.com
+ Action:
+ - s3:GetObject
+ Resource: !Sub "arn:aws:s3:::${ContentBucket}/*"
+ Condition:
+ StringEquals:
+ AWS:SourceArn: !Sub "arn:aws:cloudfront::${AWS::AccountId}:distribution/${ContentCDN}"
 
 ContentApiCertificate:
 Type: AWS::CertificateManager::Certificate
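Review bot: Dropping `Principal: '*'` from `ContentBucketPolicy` does not by itself make the content bucket non-public: objects uploaded with a public ACL, or a later edit that re-adds a wildcard principal, still expose it, and the `ContentBucket` definition is outside this hunk, so if it does not already carry `PublicAccessBlockConfiguration` with `BlockPublicAcls`, `IgnorePublicAcls`, `BlockPublicPolicy` and `RestrictPublicBuckets` all `true`, adding that would turn the OAC-only access into an enforced invariant rather than a policy-level choice. The `AWS:SourceArn` condition correctly pins the grant to this account's `${ContentCDN}` distribution; a one-line comment above the statement, `# Only this stack's distribution may read objects; no public principal`, would record the intent for the next editor. The OAC `Name` is assembled from two domain parameters, and the service imposes a maximum length on that name, so a long subdomain/base-domain pair may fail at create time — worth confirming against the longest values used.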
@@ -537,8 +553,10 @@ Resources:
 # Prefix: !Sub "${SubdomainName}-content.${BaseDomainName}"
 Origins:
 - Id: ContentBucket
- DomainName: !GetAtt ContentBucket.DomainName
- S3OriginConfig: {}
+ DomainName: !GetAtt ContentBucket.RegionalDomainName
+ OriginAccessControlId: !GetAtt ContentOriginAccessControl.Id
+ S3OriginConfig:
+ OriginAccessIdentity: ""
 DefaultCacheBehavior:
 TargetOriginId: ContentBucket
 AllowedMethods: [DELETE, GET, HEAD, OPTIONS, PATCH, POST, PUT]
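Review bot: The unchanged `AllowedMethods: [DELETE, GET, HEAD, OPTIONS, PATCH, POST, PUT]` on the default cache behavior now matters more: with the origin attached to an OAC whose `SigningBehavior` is `always`, every one of those methods is forwarded to S3 signed as the distribution, and the new bucket policy grants only `s3:GetObject`, so write requests through the CDN would be rejected by S3 with 403s instead of being refused at the edge. If the content path is read-only, `AllowedMethods: [GET, HEAD, OPTIONS]` closes that surface and keeps the bucket policy as the single statement of what the CDN may do; if uploads through CloudFront are intended, nothing in this patch grants them and that would need its own explicitly scoped policy statement. `OriginAccessIdentity: ""` has to be empty when `OriginAccessControlId` is set but reads like a leftover; a comment `# must stay empty: the OAC above replaces the legacy OAI` would stop a future cleanup from deleting or re-populating it. The distribution resource (presumably `ContentCDN`) starts before this hunk and continues after it.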